10-14-2011
Who deleted my files
Just looking for some guidance on how to figure out who might have deleted some files off one of my systems.
These files are not root owned files so could be deleted by a handful of folks in the group responsible for these files besides the root users.
Anyway, I have been tasked with trying to figure out where they went. I can see from our backup server they were there on Sept. 26th and gone on Sept. 27th. I have tried reviewing the .sh_history file for each user, but have just performed a copy of the .sh_history file of each user to a tmp location and then reviewed the files with vi.
I have done this for the root user as well, but notice after the copy that the last timestamp in the file is from yesterday. None of the commands I have run today are there. However, if I use the fc command they are shown. My concern is that this will be the case for the copies of the other users' history files, but I don't have a way to properly format the history file with fc unless I log in as each user. The other issue I have is that some users' history files do not appear to go back that far, so I am having to restore from the previously mentioned time frame.
Just looking for any thoughts on how to better come up with an answer. Something had to happen to those files but thus far I am coming up empty.
I think I understand that if someone wanted to delete these files and not be found they could edit their own history file. I don't think it's the case of an on purpose delete as the files are still on the source server which they can delete as well. I can get them back from the source server or from backup but just would like to figure out how they got deleted to avoid this questioning from the customer in the future.
Thanks.
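An added example, not part of the original post: one way to search the copied history files for the backup window in a single pass instead of reading each one in vi. It assumes each history entry ends with a `#?<epoch>#?` timestamp suffix and that NUL bytes may separate entries (assumptions about the shell's history format, which the post does not state); `scan_history`, `make_sample` and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: search a copied history file for delete/move commands that
# mention a path and were recorded inside a time window.
# ASSUMPTION: entries look like "command #?<epoch>#?"; adjust the pattern
# if the timestamps in your history files are stored differently.

scan_history() {
    # $1 = copied history file   $2/$3 = window start/end (epoch seconds)
    # $4 = path fragment to look for (matched literally)
    tr '\000' '\n' < "$1" |
    awk -v s="$2" -v e="$3" -v p="$4" -v f="$1" '
        match($0, /#\?[0-9]+#\?/) {
            ts  = substr($0, RSTART + 2, RLENGTH - 4) + 0   # digits only
            cmd = substr($0, 1, RSTART - 1)                 # text before suffix
            sub(/[ \t]+$/, "", cmd)
            # Keep entries in the window that name the path and start a
            # removing or moving command somewhere on the line.
            if (ts >= s && ts <= e && index(cmd, p) &&
                cmd ~ /(^|[ \t;|&])(rm|mv|unlink|find)([ \t]|$)/)
                printf "%s\t%d\t%s\n", f, ts, cmd
        }'
}

# Constructed sample standing in for one copied .sh_history (not real data).
make_sample() {
    printf '%s\n\000' \
        'ls /data/app/reports #?1316990000#?' \
        'rm -f /data/app/reports/*.csv #?1317050000#?' \
        'rm -f /tmp/scratch #?1317060000#?' \
        'rm -rf /data/app/reports/old #?1318000000#?'
}

# Demo: window is 2011-09-26 00:00 UTC through 2011-09-28 00:00 UTC,
# bracketing the two backups mentioned in the post.
sample=$(mktemp) && make_sample > "$sample"
scan_history "$sample" 1316995200 1317168000 /data/app/reports
```

A hit only shows that the command was recorded in that user's history; as the post notes, a user can edit their own history file, and some files may not reach back to the window.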